StarCruft (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.starcruft (Back to overview)
StarCruft

Actor(s): APT37
There is no description at this point.
References

2016-06-17 ⋅ Kaspersky Labs ⋅ Costin Raiu, Anton Ivanov
Operation Daybreak
StarCruft APT37
Yara Rules

[TLP:WHITE] win_starcruft_auto (20230125 | Detects win.starcruft.)
rule win_starcruft_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.starcruft."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d8d62feffff 51 ff15???????? 68???????? 8d9594feffff 52 ff15???????? }
            // n = 7, score = 100
            //   8d8d62feffff         | lea                 ecx, [ebp - 0x19e]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   68????????           |                     
            //   8d9594feffff         | lea                 edx, [ebp - 0x16c]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_1 = { 8d9554fbffff 52 6a06 8d854cfbffff 50 }
            // n = 5, score = 100
            //   8d9554fbffff         | lea                 edx, [ebp - 0x4ac]
            //   52                   | push                edx
            //   6a06                 | push                6
            //   8d854cfbffff         | lea                 eax, [ebp - 0x4b4]
            //   50                   | push                eax

        $sequence_2 = { c78528feffff00000000 eb0f 8b8528feffff 83c001 898528feffff 83bd28feffff04 7d2b }
            // n = 7, score = 100
            //   c78528feffff00000000     | mov    dword ptr [ebp - 0x1d8], 0
            //   eb0f                 | jmp                 0x11
            //   8b8528feffff         | mov                 eax, dword ptr [ebp - 0x1d8]
            //   83c001               | add                 eax, 1
            //   898528feffff         | mov                 dword ptr [ebp - 0x1d8], eax
            //   83bd28feffff04       | cmp                 dword ptr [ebp - 0x1d8], 4
            //   7d2b                 | jge                 0x2d

        $sequence_3 = { 83bdb0feffffff 7507 33c0 e9???????? 6a00 8b85b0feffff 50 }
            // n = 7, score = 100
            //   83bdb0feffffff       | cmp                 dword ptr [ebp - 0x150], -1
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   6a00                 | push                0
            //   8b85b0feffff         | mov                 eax, dword ptr [ebp - 0x150]
            //   50                   | push                eax

        $sequence_4 = { 83f97c 7538 83bde4feffff01 7520 8b15???????? 0395dcfeffff 8995e0feffff }
            // n = 7, score = 100
            //   83f97c               | cmp                 ecx, 0x7c
            //   7538                 | jne                 0x3a
            //   83bde4feffff01       | cmp                 dword ptr [ebp - 0x11c], 1
            //   7520                 | jne                 0x22
            //   8b15????????         |                     
            //   0395dcfeffff         | add                 edx, dword ptr [ebp - 0x124]
            //   8995e0feffff         | mov                 dword ptr [ebp - 0x120], edx

        $sequence_5 = { 8bec 83ec0c c745f800000000 8b4508 8945fc 8b4dfc 8b55fc }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_6 = { 8b4d10 034dfc 8801 ebc3 8b5514 8b450c 8902 }
            // n = 7, score = 100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   034dfc               | add                 ecx, dword ptr [ebp - 4]
            //   8801                 | mov                 byte ptr [ecx], al
            //   ebc3                 | jmp                 0xffffffc5
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8902                 | mov                 dword ptr [edx], eax

        $sequence_7 = { 8d55c8 52 8b4508 50 e8???????? 83c410 8b4dcc }
            // n = 7, score = 100
            //   8d55c8               | lea                 edx, [ebp - 0x38]
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]

        $sequence_8 = { 83c404 8945f0 8955f4 8b55d0 52 e8???????? 83c404 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_9 = { 68???????? 8b85e0feffff 50 ff15???????? 85c0 7508 83c8ff }
            // n = 7, score = 100
            //   68????????           |                     
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   83c8ff               | or                  eax, 0xffffffff

    condition:
        7 of them and filesize < 294912
}
Download all Yara Rules
StarCruft Propose Change

References

Yara Rules

StarCruft
